Community Documentation

Hiding information from visitors

Last updated June 10, 2012. Created by greggles on April 9, 2008.
Edited by Haarek, LeeHunter.

If someone attacking your site can determine which version of Drupal, or which specific modules or themes, you are using, it may make it easier for them to exploit a vulnerability.

This is not an important issue: there are other ways in which an attacker could determine information about your site. However, it is also good practice to give a potential attacker as little information as possible. If you are one of the paranoid people who already keep your site up to date and follow all the best practices listed in this section, then the rest of this page may be interesting to you.

Directory Index Potential Problem

By default Drupal core ships with a directive in its .htaccess file that returns a "Forbidden" message if a user attempts to view a directory. For example, if you visit the sites/all/modules directory on drupal.org you should get a "Forbidden" 403 error message. This helps protect your site because people will not be able to probe it for information about which modules you are using. If your web server does not allow configuration via the .htaccess file, then this protection may not be in place. A good way to find out whether the .htaccess rule is working is to visit your sites directory (e.g. http://example.com/sites/) and see whether you get a listing of files or just a "Forbidden" message.

Possible Solutions To the Directory Index Problem

You could alter your web server's configuration so that this information is hidden, either server-wide or just for your Drupal installation.

If you do not have access to the configuration files, you could also simply place an empty file named "index.php" or "index.html" in each directory on your site. If done properly, visitors to your site will see a blank page instead of the directory contents.
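The directive Drupal core ships in its .htaccess for this purpose is Options -Indexes. The following is an added example, not Drupal's own .htaccess and not from the original page, showing the same protection set in the Apache virtual host instead, where it also applies when .htaccess files are ignored. The path /var/www/drupal and the host name are assumed placeholders.

```apache
# Added example: virtual host for a Drupal docroot (Apache 2.4 syntax).
# /var/www/drupal and example.com are assumed placeholders.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/drupal

    <Directory /var/www/drupal>
        # Weak setting: "Indexes" makes Apache list a directory's files whenever
        # no index file exists, so /sites/all/modules/ reveals every module.
        # Options Indexes FollowSymLinks

        # Hardened setting: never generate directory listings; such requests
        # get a 403 Forbidden instead. FollowSymLinks stays on for clean URLs.
        Options -Indexes +FollowSymLinks

        # Let Drupal's own .htaccess (mod_rewrite rules and its Options -Indexes
        # line) take effect. Without "Options" in AllowOverride, the Options
        # line in .htaccess produces a 500 Internal Server Error.
        AllowOverride All

        # Apache 2.4 access control; on 2.2 use "Order allow,deny" / "Allow from all".
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading Apache, request the sites directory with curl -I http://example.com/sites/ and confirm the status line is 403 rather than 200 with an "Index of" page. If you instead see a 500 error, AllowOverride does not permit the Options directive that Drupal's .htaccess contains.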

Error messages

Drupal core provides a feature to show error messages to site visitors. By default this feature is enabled, which is very helpful while building a site because the visitor can quickly see the error messages. However, on a live site this feature should be disabled to avoid information disclosure, such as the full filesystem path on the server or the structure of tables in a SQL error message.

Disabling display of error messages in Drupal 7

As an administrator, navigate to Home » Administration » Configuration » Development. Set the "Error messages to display" option to "None."

Disabling display of error messages in Drupal 6

As an administrator, navigate to Home » Administer » Site configuration. Set the "Error reporting" option to "Write errors to the log."

Disabling display of notices in PHP

PHP also has a configuration setting that controls which errors are reported. For production environments this value should be set to a level that does not include notices, such as E_ERROR.
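Both Drupal 6 and Drupal 7 store the choice made on the administration pages above in the error_level variable. As an added example that is not part of the original page, the same settings can be pinned in sites/default/settings.php so that a deployment or a careless change in the UI cannot turn error display back on. Note the distinction the section above blurs: error_reporting only decides which errors PHP raises, while display_errors decides whether they are printed to the browser at all; turning display_errors off is what actually stops the disclosure, and logging keeps the messages available to you.

```php
<?php
// Added example for sites/default/settings.php (Drupal 6 and 7).
// $conf entries override values stored in the variable table, so the
// "Error messages to display" / "Error reporting" option in the UI
// can no longer re-enable on-screen errors.
// 0 means hide errors from visitors ("None" in Drupal 7,
// "Write errors to the log" in Drupal 6); errors still go to the watchdog log.
$conf['error_level'] = 0;

// PHP-level settings for a live site: never print errors (including
// those raised before Drupal's own error handler is installed), but keep
// them in the web server's error log for debugging.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');

// Report everything except notices, so warnings and fatal errors are still
// logged; E_ERROR alone, as suggested above, would drop warnings from the log.
error_reporting(E_ALL & ~E_NOTICE);
```

Because settings.php is read on every request, these values take effect immediately. To confirm, request a page that triggers a PHP error and check that the message appears in the Apache error log and in Reports » Recent log messages, but not in the browser.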

To help identify this and other potential problems on a site, you should consider using the Security Review module.

CHANGELOG.txt, README.txt and others

There are many files in a Drupal installation, such as CHANGELOG.txt and README.txt, that may include version information. You could delete those files, but they often contain useful information. A better solution is to move them outside the web-accessible area of your installation, or simply to rename them.

Again, it is more important to review other aspects of the Secure Configuration of your site than to worry about this information disclosure.

Comments

EDIT-- remove: it's a bad idea to hide CHANGELOG.txt with htaccess http://drupal.org/node/79018

Page status

Needs updating

About this page

Drupal version
Drupal 5.x, Drupal 6.x, Drupal 7.x
Audience
Site administrators, Site builders
Drupal’s online documentation is © 2000-2013 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution-ShareAlike 2.0. PHP code is distributed under the GNU General Public License. Comments on documentation pages are used to improve content and then deleted.